CN105468295B - A kind of security protection access method and system for realizing object storage - Google Patents

A kind of security protection access method and system for realizing object storage Download PDF

Info

Publication number
CN105468295B
CN105468295B CN201510781188.2A CN201510781188A CN105468295B CN 105468295 B CN105468295 B CN 105468295B CN 201510781188 A CN201510781188 A CN 201510781188A CN 105468295 B CN105468295 B CN 105468295B
Authority
CN
China
Prior art keywords
client
certificate
access
meta data
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN201510781188.2A
Other languages
Chinese (zh)
Other versions
CN105468295A (en
Inventor
冯丹
吴锋
胡燏翀
王阿孟
文可
肖仁智
张晓阳
常栓霞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huazhong University of Science and Technology
Original Assignee
Huazhong University of Science and Technology
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huazhong University of Science and Technology filed Critical Huazhong University of Science and Technology
Priority to CN201510781188.2A priority Critical patent/CN105468295B/en
Publication of CN105468295A publication Critical patent/CN105468295A/en
Application granted granted Critical
Publication of CN105468295B publication Critical patent/CN105468295B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/062Securing storage systems
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/60Protecting data
    • G06F21/62Protecting access to data via a platform, e.g. using keys or access control rules
    • G06F21/6218Protecting access to data via a platform, e.g. using keys or access control rules to a system of files or objects, e.g. local or distributed file system or database
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0602Interfaces specially adapted for storage systems specifically adapted to achieve a particular effect
    • G06F3/0614Improving the reliability of storage systems
    • G06F3/0617Improving the reliability of storage systems in relation to availability
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F3/00Input arrangements for transferring data to be processed into a form capable of being handled by the computer; Output arrangements for transferring data from processing unit to output unit, e.g. interface arrangements
    • G06F3/06Digital input from, or digital output to, record carriers, e.g. RAID, emulated record carriers or networked record carriers
    • G06F3/0601Interfaces specially adapted for storage systems
    • G06F3/0668Interfaces specially adapted for storage systems adopting a particular infrastructure
    • G06F3/067Distributed or networked storage systems, e.g. storage area networks [SAN], network attached storage [NAS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F2221/00Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/21Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F2221/2141Access rights, e.g. capability lists, access control lists, access tables, access matrices

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • Human Computer Interaction (AREA)
  • Bioethics (AREA)
  • Software Systems (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Health & Medical Sciences (AREA)
  • Health & Medical Sciences (AREA)
  • Databases & Information Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The present invention provides a kind of security protection access method for realizing object storage, comprising: client obtains access certificate from certificate server, and itself and access request are sent at least three meta data servers together;After meta data server checks the validity of access certificate and access request, processing is carried out according to access request type and returns to corresponding metadata information to client;After client receives metadata information, to object storage device request data, object storage device can verify client after receiving request, and client can be sent the data to after.Correspondingly the present invention also provides a kind of security protections for realizing object storage to access system.The meta data server that the present invention passes through the multiple and different systems of setting, it is diversified simultaneously in the system of realization, the safety for enhancing system reliability and data storage access enhances the security performance of data access additionally by the certificate server of setting to client certificate.

Description

A kind of security protection access method and system for realizing object storage
Technical field
The present invention relates to computer fields, and in particular to a kind of security protection access method and be for realizing that object stores System.
Background technique
With the universal and rapid development of Internet and network application, increasingly increased number of users, data distribution Regional space is more wide, data storage capacity explosive increase, and higher and higher data reliability requires and access data Device category is increasing, proposes test to data-storage system and data safety.
The tremendous expansion of computer and network technologies has pushed being constantly progressive for file system perfect.It is deposited using distribution The big data for the generation that storage (such as SAN and NAS) can be stored effectively.In face of mass data, to also having for the processing capacities of data High requirement, an efficient file system can bring apparent performance boost.
Parallel file system (provides the NAS of file I/O and the SAN of block I/O compared to direct for user or application server Compared to) there is larger performance boost for the access of data.The metadata and data separating of parallel file system access, and compose a piece of writing Part system can be extended power system capacity by increasing the quantity of I/O node under the premise of not influencing global space management, And by increasing meta data server to form Metadata server cluster, system can support more massive metadata management; Parallel file system can provide the redundant storage of metadata simultaneously, it is possible to provide highly reliable service;Parallel file system is not deposited In single point failure problem, important node and link can carry out redundancy between multiple I/O nodes with redundant configuration, significant data Storage and automated back-up restore, and therefore, parallel file system has higher reliabilty and availability;Parallel file system simultaneously Metadata is left concentratedly, is also beneficial to be managed collectively.
The appearance of object storage system effectively combines the advantages of NAS and SAN, not with traditional block storage and file storage Together, data are organized as unit of object and accessed to the object storage device in object storage system, and externally providing has abundant language The object interface of justice, is internally responsible for the internal disk space management of all objects.Due to the intelligence of object storage device, establish Parallel file system on object storage device, i.e. object-based storage system are simpler and are easily managed, and object The rich properties and elongated feature for being included make object storage support more complicated powerful file division function and flexible System, the result is that object-based storage system scalability, performance, safety and in terms of have improvement.
The data and metadata of object storage system are separation storages, centrally stored due to metadata, although convenient for pipe Reason, but when data volume increases, access request increases, in order to meet capacity and I/O bandwidth, as the key component of system, pressure It can increase suddenly.The access technique of existing object storage device has the following deficiencies: (1) as access request increases, and object is deposited Meta data server in storage system will appear delay machine phenomenon, and the probability of the system failure can increase with it;(2) since storage is crucial The equipment of data is easier to become the main object of data theft, and general object storage system, and use is per family directly to first number Metadata is obtained according to server, meta data server is directly exposed to outside, there is greater risk.
Summary of the invention
For the disadvantages described above or deficiency of the prior art, the present invention provides a kind of security protection access for realizing object storage Method and system, wherein provide access service by setting at least three meta data servers for client, realize object and deposit The diversification of storage system increases the reliability of system;Authentication management is carried out to client by certificate server, while to member Data server carries out traffic monitoring, significantly improves the safety of data access.By executing the scheme in the present invention, significantly The probability for reducing object storage system failure further ensures object storage system service quality.
To achieve the above object, the invention proposes a kind of security protection access method for realizing object storage, features It is, which comprises
(1) client obtains access certificate from certificate server;
(2) access certificate and access request that client will acquire are sent at least three meta data servers together;
(3) it after the validity of meta data server inspection access certificate and access request, is carried out according to access request type Processing: if access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If visiting It asks that request is that permission operational order is requested, then after meta data server makes authorization decision, Authorization result is sent to object Equipment is stored, is executed step (4), while returning to relevant metadata information to client, executes step (5)-(6);
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, abandons other meta data servers for being directed to same request The metadata information of transmission;
(6) after client receives metadata information, to object storage device request data, object storage device receives request After user can be verified, user can be sent the data to after.
As it is further preferred that the step (1) includes: firstly, client and certificate server consult session key; After the session key encrypted certificate that certificate server is negotiated, it is sent to client, the session key docking that client is negotiated The encrypted certificate of receipts is decrypted.
As it is further preferred that in step (3), the meta data server checks access certificate and access request Validity specifically includes:
(3-1) checks client access certificate according to user's revocation list for locally saving, in user's revocation list Preserve expired user or inactive users;
(3-2) carries out scope check, if permission is legal, root if access certificate is effective, to client access request It is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being monitored to the meta data server turn-on flow rate, periodically to member number each in period T It is compared according to the flow of server, if monitoring the data volume of any one meta data server than other Metadata Services When the data volume of device is more, then judge that the meta data server in leak data, then closing the meta data server, and is System safety inspection, reconfigures the environment of the meta data server, then restores data starting.
To achieve the above object, the present invention also provides a kind of security protections for realizing object storage to access system, including An at least client Client, at least three meta data server MDS, certificate server TA, at least an object storage are set Standby OSD, which is characterized in that
The client, for obtaining access certificate from certificate server, and the access certificate that will acquire and access are asked It asks and is sent at least three meta data servers together;It is also used to receive the metadata information reached at first, abandons other yuan of number According to the metadata information that server is sent, metadata information is to object storage device request data based on the received, and receives pair The corresponding data returned as storage equipment;
The certificate server, for sending access certificate to client and assisting meta data server inspection access card Book;
The meta data server, after the validity for checking access certificate and access request, according to access request class Type is handled: if access request is request of data, returning to relevant metadata information to client;If access request is power Operational order request is limited, then after meta data server makes authorization decision, Authorization result is sent to object storage device, together When return to relevant metadata information to client;
The object storage device, the Authorization result sent for receiving the meta data server, and tied according to authorization Fruit modifies to the permissions list locally saved;It is also used to carry out client after receiving the request of data that client is sent Verifying, is sent to client for corresponding data after being verified.
As it is further preferred that the client and the certificate server consult session key;The authentication service After the session key encrypted certificate that device is negotiated, it is sent to client, the session key that the client is negotiated is to received Encrypted certificate is decrypted.
As it is further preferred that the meta data server, for checking the validity of access certificate and access request, Specifically include: the meta data server checks client access certificate, the use according to the user's revocation list locally saved Expired user or inactive users are preserved in the revocation list of family;If access certificate is effective, permission inspection is carried out to access request It looks into, if permission is legal, is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being flowed the system also includes monitoring module for being opened to the meta data server Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores Data starting.
In general, it is put above technical scheme is compared with the prior art according to the present invention, mainly has technology below Advantage:
1, the present invention is by setting at least three meta data servers, when any one server breaks down, for The access request service of client is unaffected, meanwhile, meta data server does not need the synchronous operation of data yet, drops significantly The low probability of the system failure, further ensures object storage system service quality, improves the reliability of data access;
2, in addition, the present invention authenticates client by certificate server, prevent illegal user's login system from obtaining Data;Traffic monitoring is carried out to meta data server simultaneously, is compared, discovery immediately, and executes cleaning operation, then restores Data are reworked, and the safety of data access is significantly improved.
Detailed description of the invention
Fig. 1 is a kind of basic structure schematic diagram of security protection access system for realizing object storage
Fig. 2 is a kind of data flow schematic diagram of security protection access method for realizing object storage
Fig. 3 is a kind of flow monitoring schematic diagram of security protection access system for realizing object storage
Fig. 4 is a kind of flow monitoring flow chart of security protection access method for realizing object storage
Specific embodiment
In order to make the objectives, technical solutions, and advantages of the present invention clearer, with reference to the accompanying drawings and embodiments, right The present invention is further elaborated.It should be appreciated that the specific embodiments described herein are merely illustrative of the present invention, and It is not used in the restriction present invention.
The technical scheme is that realize in the following way, the physical environment and framework of system are as follows:
3 meta data server MDS are selected, the system of operation is Fedora, Centos, redhat respectively;More objects Store equipment OSD, system Fedora;1 certificate server TA, system are redhat or Fedora;More client computer Client, system Fedora.Storage system is OBS object storage system.Flow monitoring tool is tcpdump.It is taken in environment After building up, three MDS are mounted to client computer.
As shown in Figure 1, the present invention provides a kind of security protections for realizing object storage to access system, including at least one Client Client, at least three meta data server MDS, certificate server TA, at least an object storage device OSD, It is characterized in that,
The client, for obtaining access certificate from certificate server, and the access certificate that will acquire and access are asked It asks and is sent at least three meta data servers together;It is also used to receive the metadata information reached at first, abandons other yuan of number According to the metadata information that server is sent, metadata information is to object storage device request data based on the received, and receives pair The corresponding data returned as storage equipment;
The certificate server, for sending access certificate to client and assisting meta data server inspection access card Book;
The meta data server, after the validity for checking access certificate and access request, according to access request class Type is handled: if access request is request of data, returning to relevant metadata information to client;If access request is power Operational order request is limited, then after meta data server makes authorization decision, Authorization result is sent to object storage device, together When return to relevant metadata information to client;
The object storage device, the Authorization result sent for receiving the meta data server, and tied according to authorization Fruit modifies to the permissions list locally saved;It is also used to carry out client after receiving the request of data that client is sent Verifying, is sent to client for corresponding data after being verified.
As it is further preferred that the client and the certificate server consult session key;The authentication service After the session key encrypted certificate that device is negotiated, it is sent to client, the session key that the client is negotiated is to received Encrypted certificate is decrypted.
As it is further preferred that the meta data server, for checking the validity of access certificate and access request, Specifically include: the meta data server checks client access certificate, the use according to the user's revocation list locally saved Expired user or inactive users are preserved in the revocation list of family;If access certificate is effective, permission inspection is carried out to access request It looks into, if permission is legal, is handled according to access request type;Otherwise, then error message is returned.
As it is further preferred that the operating system of at least three meta data servers is different.
As it is further preferred that being flowed the system also includes monitoring module for being opened to the meta data server Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores Data starting.
The invention also provides a kind of security protection access methods for realizing object storage, which is characterized in that the method Include:
(1) client obtains access certificate from certificate server;
User logs in client computer, inputs the user name and password;Certification request is sent to certificate server TA, TA determines user After legal, a certificate can be sent to user, user relies on certificate to metadata server cluster request data.TA can with Family revocation information is sent to meta data server, so that meta data server authenticates user.Wherein, client and certification Server consult session key first;After the session key encrypted certificate that certificate server is negotiated, it is sent to client, client Received encrypted certificate is decrypted in the session key that end is negotiated.
(2) access certificate and access request that client will acquire are sent at least three meta data servers, institute together The operating system for stating at least three meta data servers is different;
(3) it after the validity of meta data server inspection access certificate and access request, is carried out according to access request type Processing: if access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If visiting It asks that request is that permission operational order is requested, then after meta data server makes authorization decision, Authorization result is sent to object Equipment is stored, is executed step (4), while returning to relevant metadata information to client, executes step (5)-(6);
The meta data server checks the validity of access certificate and access request, specifically includes:
(3-1) checks client access certificate according to user's revocation list for locally saving, in user's revocation list Preserve expired user or inactive users;
(3-2) carries out scope check, if permission is legal, root if access certificate is effective, to client access request It is handled according to access request type;Otherwise, then error message is returned.User only receives that most fast meta data server of return Data certificate and necessary security parameter are sent to object storage device OSD then by data operation commands.
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, abandons the metadata letter of other meta data servers transmission Breath;
(6) after client receives metadata information, to object storage device request data, object storage device receives request After user can be verified, user can be sent the data to after.
User only receives the metadata information reached at first, then joins data operation commands, certificate and necessary safety Number is sent to object storage device OSD;After object storage device OSD receives request, the certificate of user is checked, confirmation is used The identity at family is determined according to grant column list to make authorization to user.If receiving and being data operation commands that client computer is sent Return to the data of user's request;If what is received is the pre-authorization order that meta data server is sent, to the pre-granted being locally stored It weighs list and carries out corresponding operation.
In conjunction with the data flow in Fig. 2, the above method is specifically described.
1. user requests certificate to certificate server, data are stolen in order to prevent, and user can first assist with certificate server Quotient's session key passes through session key encrypted certificate;After certificate server session key encrypted certificate, it is sent to user, is used After family receives the certificate of encryption, it is decrypted with the cipher key pair certificate of negotiation.
2. after user decrypts certificate, request and certificate are packaged into command description symbol, while issuing 3 Metadata Services Device, each meta data server can all respond the request of user, specific steps: the first step checks the certificate of user, There is a user's revocation list on every meta data server, preservation is expired user or invalid user.Second Step can carry out scope check to the request of user, error message is returned if going beyond one's commission if the certificate of user is effective. Third step can parse the command if permission is legal, return to relevant metadata information according to command type.
User terminal will receive the response of 3 meta data servers transmission, but only to receive portion most fast by user, and in addition two A discarding.The benefit done so ensure that performance to greatest extent, while meta data server end can all handle user's request, So the data on 3 meta data servers are consistent always.
3. after user has obtained the metadata of meta data server transmission, request data, object storage can be stored to object Equipment can verify user after receiving request, and user can be sent the data to after.
4. the user certificate list of maintenance can be sent to meta data server by certificate server, verifying foundation is provided;
5. permission operational order, then meta data server can be according to preservation when the request not instead of request of data of user Global access control list make authorization decision, send result to object storage device.Equipment is stored then to the power of preservation Limit list is modified accordingly.
In addition, as shown in Figure 3-4, in technical solution proposed by the present invention, also opening stream to the meta data server Amount monitoring, periodically compares the flow of each meta data server in period T, if monitoring any one metadata clothes Be engaged in device data volume than other meta data servers data volume more than when, then judge the meta data server in leak data, that The meta data server is closed, and carries out system safety inspection, the environment of the meta data server is reconfigured, then restores Data starting.
In this process, monitoring module can write down the data volume of each meta data server outflow, so as to the stage of progress The comparison of property, discovers whether abnormal meta data server.
Data volume is sent than other that servers more than two if having found by the flow monitoring of tcpdump, It will then be turned off, be cleared up immediately, reduction server to pure state.
When a machine because needing to restart again, it would be desirable to by data after failure or leak data are closed Restored, needs to guarantee that the data of three meta data servers are the same.In an arrangement, it is taken in the metadata of failure When device recovery data of being engaged in, server can work on, but failed machines are being closed between reworking User's request is recorded, and is re-operated one time;In another scheme, when the meta data server of failure restores data It waits, server can work on, but failed machines are recorded in the user's request closed between reworking, The order for reading data can filter out, and request is classified with filename, delete command is handled at first, if finally there is deletion Order does not just have to the order before operation, directly execution delete command, followed by write order and modification order.
The present invention data access critical path carry out redundancy, can tolerate meta data server continuously go bad two without Function is influenced, there is very strong reliability;The present invention uses the scheme of multisystem isomery to the component on crucial path, increases The diversity of system greatly reduces because the attack of a certain particular system leads to the completely obsolete risk of system, has very strong Defense function;The present invention by increase a flow monitoring module, can by compare 3 meta data servers flow, from And meta data server under attack can be found, and then close this meta data server, therefore have certain killing function. Therefore, the present invention has very high reliability and safety.
As it will be easily appreciated by one skilled in the art that the foregoing is merely illustrative of the preferred embodiments of the present invention, not to The limitation present invention, any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should all include Within protection scope of the present invention.

Claims (8)

1. a kind of security protection access method for realizing object storage, which is characterized in that the described method includes:
(1) client obtains access certificate from certificate server;
(2) access certificate and access request that client will acquire are sent at least three meta data servers together;
(3) it after the validity of meta data server inspection access certificate and access request, is handled according to access request type: If access request is request of data, relevant metadata information is returned to client, executes step (5)-(6);If access is asked It asks and Authorization result is sent to object storage then after meta data server makes authorization decision for the request of permission operational order Equipment executes step (4), while returning to relevant metadata information to client, executes step (5)-(6);
(4) object storage device modifies to the permissions list locally saved;
(5) client receives the metadata information reached at first, other meta data servers abandoned for same request are sent Metadata information;
(6) after client receives metadata information, to object storage device request data, object storage device receives meeting after request Client is verified, client can be sent the data to after;
While executing step (1)~(6), the meta data server turn-on flow rate is detected, periodically to each member in period T The flow of data server compares, if monitoring that the data volume of any one meta data server takes than other metadata When the data volume of business device is more, then judge that the meta data server in leak data, then closing the meta data server, and carries out System safety inspection reconfigures the environment of the meta data server, then restores data starting.
2. the method according to claim 1, wherein the step (1) includes: firstly, client and certification clothes Business device consult session key;After the session key encrypted certificate that certificate server is negotiated, it is sent to client, client association Received encrypted certificate is decrypted in the session key of quotient.
3. the method according to claim 1, wherein the meta data server inspection accesses in step (3) The validity of certificate and access request, specifically includes:
(3-1) checks client access certificate according to the user's revocation list locally saved, saves in user's revocation list There are expired user or inactive users;
(3-2) carries out scope check if access certificate is effective, to client access request, if permission is legal, according to visit Ask that request type is handled;Otherwise, then error message is returned.
4. the method according to claim 1, wherein the operating system of at least three meta data servers is not Together.
5. a kind of security protection access system for realizing object storage, including an at least client Client, at least three members Data server MDS, certificate server TA, at least an object storage device OSD, which is characterized in that
The client, for obtaining access certificate, and the access certificate and access request one that will acquire from certificate server It rises and is sent at least three meta data servers;It is also used to receive the metadata information reached at first, abandons other metadata clothes The metadata information that business device is sent, metadata information is to object storage device request data based on the received, and receives object and deposit Store up the corresponding data that equipment returns;
The certificate server, for sending access certificate to client and meta data server being assisted to check access certificate;
The meta data server, after the validity for checking access certificate and access request, according to access request type into Row processing: if access request is request of data, relevant metadata information is returned to client;If access request is permission behaviour Make command request, then after meta data server makes authorization decision, Authorization result is sent to object storage device, is returned simultaneously Relevant metadata information is returned to client;
The object storage device, the Authorization result sent for receiving the meta data server, and according to Authorization result pair The permissions list locally saved is modified;It is also used to test client after receiving the request of data that client is sent Card, is sent to client for corresponding data after being verified;
The system also includes monitoring modules, for monitoring to the meta data server turn-on flow rate, periodically in period T The flow of each meta data server compares, if monitoring than other yuan number of data volume of any one meta data server When more according to the data volume of server, then the meta data server is judged in leak data, then close the meta data server, and Carry out system safety inspection, reconfigures the environment of the meta data server, then restores data starting.
6. system according to claim 5, which is characterized in that the client and the certificate server consulting session are close Key;After the session key encrypted certificate that the certificate server is negotiated, it is sent to client, the meeting that the client is negotiated The words received encrypted certificate of key pair is decrypted.
7. system according to claim 5, which is characterized in that the meta data server, for check access certificate and The validity of access request, specifically includes:
The meta data server checks client access certificate, user's revocation according to the user's revocation list locally saved Expired user or inactive users are preserved in list;
If access certificate is effective, to access request carry out scope check, if permission is legal, according to access request type into Row processing;Otherwise, then error message is returned.
8. system according to claim 5, which is characterized in that the operating system of at least three meta data servers is not Together.
CN201510781188.2A 2015-11-14 2015-11-14 A kind of security protection access method and system for realizing object storage Active CN105468295B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201510781188.2A CN105468295B (en) 2015-11-14 2015-11-14 A kind of security protection access method and system for realizing object storage

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201510781188.2A CN105468295B (en) 2015-11-14 2015-11-14 A kind of security protection access method and system for realizing object storage

Publications (2)

Publication Number Publication Date
CN105468295A CN105468295A (en) 2016-04-06
CN105468295B true CN105468295B (en) 2019-03-05

Family

ID=55606048

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201510781188.2A Active CN105468295B (en) 2015-11-14 2015-11-14 A kind of security protection access method and system for realizing object storage

Country Status (1)

Country Link
CN (1) CN105468295B (en)

Families Citing this family (13)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10380100B2 (en) * 2016-04-27 2019-08-13 Western Digital Technologies, Inc. Generalized verification scheme for safe metadata modification
CN106250762A (en) * 2016-07-18 2016-12-21 乐视控股(北京)有限公司 For the method and system preventing storage object from illegally quoting
US10320572B2 (en) * 2016-08-04 2019-06-11 Microsoft Technology Licensing, Llc Scope-based certificate deployment
CN106506668B (en) * 2016-11-23 2019-07-16 浪潮云信息技术有限公司 A method of object storage is realized based on distributed storage
US10348764B2 (en) * 2017-06-28 2019-07-09 GM Global Technology Operations LLC System and method for intercepting encrypted traffic and indicating network status
CN109218425A (en) * 2018-09-17 2019-01-15 苏州爱开客信息技术有限公司 Distributed intelligence shutdown system
CN112783822B (en) * 2019-11-04 2023-11-03 上海云教信息技术有限公司 Data harvesting method and device for decentralizing scientific data sharing platform
CN111131441A (en) * 2019-12-21 2020-05-08 西安天互通信有限公司 Real-time file sharing system and method
CN111245933A (en) * 2020-01-10 2020-06-05 上海德拓信息技术股份有限公司 Log-based object storage additional writing implementation method
CN114117507B (en) * 2020-08-28 2024-01-30 中国电信股份有限公司 Object storage system, access control method and device thereof, and storage medium
CN112910868A (en) * 2021-01-21 2021-06-04 平安信托有限责任公司 Enterprise network security management method and device, computer equipment and storage medium
CN112947864B (en) * 2021-03-29 2024-03-08 南方电网数字平台科技(广东)有限公司 Metadata storage method, apparatus, device and storage medium
CN115174602B (en) * 2022-06-30 2023-04-18 浙江蓝景科技有限公司 Data processing method and system applied to fishery management

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605137A (en) * 2009-07-10 2009-12-16 中国科学技术大学 Safe distribution file system
CN101997823A (en) * 2009-08-17 2011-03-30 联想(北京)有限公司 Distributed file system and data access method thereof
CN104320401A (en) * 2014-10-31 2015-01-28 北京思特奇信息技术股份有限公司 Big data storage and access system and method based on distributed file system

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103617308B (en) * 2013-10-30 2016-06-08 河海大学 A kind of construction method of wind power plant frequency domain equivalent model

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101605137A (en) * 2009-07-10 2009-12-16 中国科学技术大学 Safe distribution file system
CN101997823A (en) * 2009-08-17 2011-03-30 联想(北京)有限公司 Distributed file system and data access method thereof
CN104320401A (en) * 2014-10-31 2015-01-28 北京思特奇信息技术股份有限公司 Big data storage and access system and method based on distributed file system

Also Published As

Publication number Publication date
CN105468295A (en) 2016-04-06

Similar Documents

Publication Publication Date Title
CN105468295B (en) A kind of security protection access method and system for realizing object storage
CN106060796B (en) The backup destroying method and device of terminal
CN101764819B (en) For detecting the method and system of man-in-the-browser attacks
KR101431333B1 (en) System and method of data federation module for sociality storage service on cloud computing
CN110489996B (en) Database data security management method and system
US9594922B1 (en) Non-persistent shared authentication tokens in a cluster of nodes
CN105511805A (en) Data processing method and device for cluster file system
JP2008537203A (en) Disaster recovery framework
US8719923B1 (en) Method and system for managing security operations of a storage server using an authenticated storage module
US20040111391A1 (en) Command processing system by a management agent
CN105430016A (en) Network access authentication method and system
US20120331538A1 (en) Method and communication device for accessing to devices in security
CN105553783A (en) Automated testing method for switching of configuration two-computer resources
CN104219080A (en) Method for recording logs of error pages of websites
CN112769932A (en) Distributed cloud storage system based on block chain and data separation
CN103297441A (en) Access control method and device
CN109889518A (en) A kind of encryption storage method
CN109815725B (en) System and method for realizing data safety processing
CN111371588A (en) SDN edge computing network system based on block chain encryption, encryption method and medium
CN113961892A (en) Account security control method and system, readable storage medium and computer equipment
US20140007197A1 (en) Delegation within a computing environment
CN101408955A (en) Method and system determining obligation base on tactic
CN111488597B (en) Safety audit system suitable for cross-network safety area
CN107172078B (en) Security management and control method and system of core framework platform based on application service
CN113765672A (en) Medical attribute token access control method, system, storage medium and electronic device

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant
GR01 Patent grant